Back to skill

Security audit

Gekko Yield

Security checks across malware telemetry and agentic risk

Overview

This is a real-funds DeFi skill whose core purpose is disclosed, but its auto-compound path gives an agent broad transaction-signing authority with weak local validation and limited confirmation safeguards.

Install only if you are comfortable with a hot-wallet tool that can approve tokens and submit live Base transactions. Use a dedicated wallet with limited funds, avoid leaving idle USDC in the wallet before running compound unless you intend all of it to be deposited, and treat Odos-based compounding as a high-trust external transaction path that should be reviewed before an agent runs it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (16)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill documentation describes capabilities that require access to environment variables and networked blockchain interactions, but the manifest does not declare corresponding permissions. This creates a transparency and enforcement gap: an agent or user may invoke the skill without realizing it can access sensitive wallet material and broadcast on-chain transactions affecting real funds.

Description-Behavior Mismatch

Medium
Confidence
85% confidence
Finding
The documentation introduces an auto-compounding capability not reflected in the stated skill scope, which creates a scope mismatch between what an agent may believe the skill is authorized to do and what it may actually execute. In an agentic blockchain context, undocumented or out-of-manifest transaction paths increase the chance of unintended asset movement and weaken reviewability.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill is presented as a Moonwell USDC vault interaction, but the documented compound flow expands into external token swaps via Odos. That materially changes the trust and risk model by introducing third-party routing, slippage, token approval, and quote-manipulation exposure that a user or agent may not expect from a simple vault skill.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The manifest and high-level description omit that auto-compounding performs token swaps through an external aggregator before redepositing. That missing disclosure is dangerous because swaps add counterparty, routing, slippage, allowance, and asset-conversion risk beyond a simple vault deposit, so users may authorize behavior they did not intend.

Intent-Code Divergence

Low
Confidence
71% confidence
Finding
The security section asserts that transactions are previewed before sending, but the documented command flows do not show any confirmation or preview step. In a fund-managing skill, unsupported safety claims can cause users to over-trust automation and approve deposits, withdrawals, or swaps without verifying destination, amount, or route.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script’s advertised purpose is earning yield on USDC in a specific vault, but it also discovers non-USDC reward tokens and swaps them through a third-party DEX aggregator before depositing. This expands the skill’s authority from simple vault interaction to arbitrary token disposal and routing, creating asset-loss and trust-boundary risks if the swap path, token set, or quote source is manipulated.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code obtains executable transaction calldata from Odos and forwards it directly with walletClient.sendTransaction, effectively granting an off-chain API authority to decide what contract is called and with what calldata. If the API, network path, or returned payload is compromised, the wallet could sign an unintended transaction that transfers value, approves assets, or interacts with arbitrary contracts beyond the stated vault workflow.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The prompt asks 'Use custom RPC URL? [N]:' but the code treats any non-empty input as the RPC URL itself, so entering 'y' results in rpc='y' rather than prompting for a URL. In a financial wallet setup flow, this can silently create a broken or attacker-directed configuration if users paste unexpected values, causing failed transactions, misleading behavior, or use of an untrusted RPC endpoint.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The instructions describe deposits, withdrawals, and reward-token swaps without clear warnings about irreversible on-chain execution, smart contract risk, slippage, reward-token price volatility, approval risk, or potential loss. In a DeFi skill, omission of these warnings can cause users or agents to treat complex financial actions as routine, increasing the likelihood of uninformed asset loss.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The manifest uses broad 'Use when' language covering deposits, withdrawals, APY checks, and reporting without clear trigger boundaries or restrictions. In an agentic setting, vague invocation criteria increase the chance the skill is selected for sensitive wallet actions in contexts where the user only intended informational queries, leading to unintended fund movements.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill description does not warn that auto-compound includes automatic token swaps, even though swapping is materially riskier than simply claiming rewards or depositing USDC. In DeFi, this omission is especially dangerous because users may not expect approvals, price impact, MEV exposure, routing through third-party infrastructure, or receipt of less USDC than anticipated.

External Transmission

Medium
Category
Data Exfiltration
Content
pathId: string,
  userAddress: Address
): Promise<OdosAssembleResponse | null> {
  const response = await rateLimitedFetch('https://api.odos.xyz/sor/assemble', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({
Confidence
94% confidence
Finding
Fetch('https://api.odos.xyz/sor/assemble', { method: 'POST'

External Transmission

Medium
Category
Data Exfiltration
Content
pathId: string,
  userAddress: Address
): Promise<OdosAssembleResponse | null> {
  const response = await rateLimitedFetch('https://api.odos.xyz/sor/assemble', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({
Confidence
94% confidence
Finding
https://api.odos.xyz/

Unpinned Dependencies

Low
Category
Supply Chain
Content
"compound": "npx tsx compound.ts"
  },
  "dependencies": {
    "viem": "^2.21.0"
  },
  "devDependencies": {
    "tsx": "^4.19.0",
Confidence
90% confidence
Finding
"viem": "^2.21.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"viem": "^2.21.0"
  },
  "devDependencies": {
    "tsx": "^4.19.0",
    "typescript": "^5.6.0"
  }
}
Confidence
80% confidence
Finding
"tsx": "^4.19.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
},
  "devDependencies": {
    "tsx": "^4.19.0",
    "typescript": "^5.6.0"
  }
}
Confidence
72% confidence
Finding
"typescript": "^5.6.0"

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access, suspicious.exposed_secret_literal

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/config.ts:224

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/setup.ts:56